Centos 7 DNS server not replying to clients

Asked by hbaber (1,635 Views, Last Modified: 2017-03-29)
What have I missed?  

I am trying to configure a local DNS server in CentOS 7, and it appears that queries from the server to the outside are working, but clients are not getting responses from the local server. I can see the request coming in via tcpdump, but the local server isn't performing the query and replying to the client.

From server:
[root@zotac etc]# nslookup
> server
Default server: 10.30.3.5
Address: 10.30.3.5#53
> cnn.com
Server:         10.30.3.5
Address:        10.30.3.5#53

Non-authoritative answer:
Name:   cnn.com
Address: 151.101.64.73
Name:   cnn.com
Address: 151.101.192.73
Name:   cnn.com
Address: 151.101.0.73
Name:   cnn.com
Address: 151.101.128.73

[root@zotac etc]# netstat -lnp | grep named
tcp        0      0 10.30.3.5:53            0.0.0.0:*               LISTEN      10028/named
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      10028/named
udp        0      0 10.30.3.5:53            0.0.0.0:*                           10028/named
[root@zotac etc]#

From Windows client:
c:\>nslookup cnn.com.
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  10.30.3.5

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

The server sees the response, but it is not forwarded to the forwarding servers:
[root@zotac ~]# tcpdump -vvv -s 0 -l -n port 53 -i enp2s0 | grep cnn.com
tcpdump: listening on enp2s0, link-type EN10MB (Ethernet), capture size 65535 bytes
    10.30.3.253.55238 > 10.30.3.5.domain: [udp sum ok] 2+ A? cnn.com. (25)
    10.30.3.253.55239 > 10.30.3.5.domain: [udp sum ok] 3+ AAAA? cnn.com. (25)

I expect to see a query to the external DNS and/or a reply from the local DNS to the client.

[root@zotac etc]# cat named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
acl "trusted" {
 10.30.3.0/24;
};

options {
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { trusted; };
        allow-transfer { 10.30.3.5;};

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable no;
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
        forwarders {
                8.8.8.8;
                8.8.4.4;
                };
        forward first;
        listen-on port 53 {
                10.30.3.5;
                };
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

key rndc-key {
        algorithm hmac-md5;
        secret "secretpassword";
        };
controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
        };
zone "kfs.local" IN {
        type master;
        file "/var/named/kfs.local.hosts";
        allow-update { none; };
        };
zone "10.30.3.in-addr.arpa" {
        type master;
        file "/var/named/3.30.10.rev";
        };
[root@zotac etc]#

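A way to pin down where the query is being lost, added here as an example and not code from the original post or from BIND: a hand-built DNS probe that sends one A query over UDP and classifies the outcome. Silence (a timeout) means the packet never reached named or the reply was dropped on the way back, which points at the host firewall, listen-on or routing rather than at named's ACLs; a REFUSED reply means named did receive the query and rejected the client; SERVFAIL means it accepted the query but could not resolve it. The server address 10.30.3.5 and the name cnn.com are from the post; the two sample responses are constructed for the offline demo, not captured from that server.

```python
"""Minimal DNS probe for a resolver that appears to stay silent.

Builds an RFC 1035 wire-format A query by hand (no third-party library)
so the result can be classified exactly: no reply, REFUSED, SERVFAIL,
or a real answer.  Added example, not code from the original post.
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Constructed sample responses to a query with transaction id 0x1234 (not
# captured traffic).  The first carries one A record for cnn.com, the
# second is the REFUSED that BIND returns to a client its ACLs reject.
SAMPLE_ANSWER = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # header: QR RD RA, rcode 0
    b"\x03cnn\x03com\x00\x00\x01\x00\x01"                 # question: cnn.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04"   # answer RR: name ptr, A, IN, ttl 60
    b"\x97\x65\x40\x49"                                   # rdata 151.101.64.73
)
SAMPLE_REFUSED = (
    b"\x12\x34\x81\x05\x00\x01\x00\x00\x00\x00\x00\x00"   # header: QR RD, no RA, rcode 5
    b"\x03cnn\x03com\x00\x00\x01\x00\x01"
)


def build_query(name, txid=0x1234, qtype=1):
    """Wire-format query for `name`, RD bit set (recursion wanted), class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(data, expected_txid):
    """Extract rcode, RA flag and any A records; reject replies with a foreign txid."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: stale or spoofed reply")
    result = {
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "ra": bool(flags & 0x0080),     # server offers recursion to this client
        "answers": [],
    }
    off = 12
    for _ in range(qd):                 # skip the echoed question section
        off = skip_name(data, off) + 4
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            result["answers"].append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return result


def diagnose(result):
    """Map a probe result to the class of problem it points at."""
    if result["status"] == "timeout":
        return ("no reply: the packet never reached named or the reply was dropped "
                "(host firewall, listen-on, routing), not an ACL decision")
    if result["rcode"] == "REFUSED":
        return "refused: named got the query but allow-query/allow-recursion rejected the client"
    if result["rcode"] == "SERVFAIL":
        return "servfail: named accepted the query but could not resolve it (forwarders, validation)"
    if not result["ra"]:
        return "answered without RA: recursion is not offered to this client"
    return "ok: recursive resolution works for this client"


def probe(server, name, timeout=2.0, txid=0x1234):
    """Send one UDP query and return the parsed result, or status 'timeout'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return {"status": "timeout", "rcode": None, "ra": False, "answers": []}
    parsed = parse_response(data, txid)
    parsed["status"] = "replied"
    return parsed


if __name__ == "__main__":
    # Offline demo on the constructed samples; on a live network run
    # probe("10.30.3.5", "cnn.com") both from a client and on the server itself.
    for sample in (SAMPLE_ANSWER, SAMPLE_REFUSED):
        r = parse_response(sample, 0x1234)
        r["status"] = "replied"
        print(r["rcode"], r["answers"], "->", diagnose(r))
```

Run the probe twice: once on the server against 10.30.3.5, once from the client's position on the LAN. tcpdump on the server captures inbound packets before the host firewall's INPUT rules see them, so a query that shows up in tcpdump can still be dropped before named ever reads it; if the local probe answers and the remote one times out, the difference lies in that path rather than in named.conf. The probe deliberately checks the transaction id of whatever comes back, so a stray or spoofed reply is not mistaken for the server's.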
